Paranoia, OpenDXL, and the Second Economy

You are not paranoid. They are out to get you. McAfee research showed that more than half (56%) of 2015 investigations resulted from a targeted activity by criminals, insiders, or nation states. This dominance increases the urgency to change our approach to security operations practices.

The new book, The Second Economy, by McAfee CTO Steve Grobman and CMO Allison Cerra, documents the vulnerability of digital systems using parallels from physical systems and presents a call to action for the InfoSec community. It is approachable for non-security folks, yet meaningful for practitioners.

The Second Economy identifies several specific problems the industry has created and needs to work together to overcome:

• Information hoarding: By restricting access to threat intelligence, we make it easier for the bad guys to outwit and outpace our defenses.
• Technology sprawl: The best practice of individual “best of breed” products working as “defense in depth” has been valued more highly than overall effectiveness and efficiency. What worked when we relied on antivirus and firewalls doesn’t work in the second economy of distributed digital systems.
• Change: The pace of change in software, technology, and business requirements inevitably results in vulnerabilities that are difficult to detect and fix. Change also introduces beneficial new ideas and tools more quickly than most companies can adopt them.

After demonstrating why action is important, the book gives ideas about which actions will bear fruit.

A central theme is integration, orchestration, and automation of security activities. As an evangelist for optimized security operations for the last decade, I couldn’t agree more. Investing in effective security operations can alter the rules of engagement to increase the odds for the white hats. This strategy enables successful teamwork between CISOs, Security Architects, SOC teams and the IT operational forces with whom they collaborate. It also improves your organization’s ability to execute by reducing the operational friction that holds all of these people back.

Today, McAfee announces new help for the Second Economy recommendation to integrate, orchestrate, and automate, a strategic initiative for developers called the Open Data Exchange Layer (OpenDXL). Through an open source strategy and the beta release of an updated software development kit (SDK) for DXL, “white hats” gain the ability to quickly attach to a shared real-time communication fabric and conveniently exchange security intelligence as well as orchestrate actions for the shortest possible execution of the threat defense lifecycle.

OpenDXL directly acts against the three obstacles of information hoarding, technology sprawl, and change:

1. Anti-hoarding: OpenDXL expands access to otherwise hard-to-obtain data to enrich analysis and processes. This data supports new capabilities, such as detection and triage analytics to incorporate behavior, context, and rapidly changing threat and organizational data.
2. Anti-sprawl: Two lightweight integration models, publish/subscribe and request/response, provide ways to unite data and processes. Proprietary APIs can be wrapped to enable use in an orchestrated system, and the wrappers can be shared and leveraged by the broader community.
3. Change-friendly: An abstraction layer insulates individual applications from changes others make, replacing expensive and repeated work and integration maintenance.

The OpenDXL initiative builds on a maturing technology foundation that many vendors and enterprises already use. As part of its technology partnering program, the McAfee Security Innovation Alliance, McAfee has been working with independent software vendors (ISVs) and enterprises since 2014 to adopt and validate the importance and positive impact of an open communication fabric. By attaching to a common application framework, each participant enters into a unified ecosystem, one that gains value and capability as the network effect activates. The value to the industry takes many forms:

• Replaces significant integration cost and effort spent today, since more than half (53%) of companies develop their own integration technologies. (Frost & Sullivan, The 2015 (ISC)2 Global Information Security Workforce Study)
• Shortens protection, detection and correction processes by 30-85% through a more tightly integrated operational environment, as documented in customer interviews and our lab.
• Frees skilled resources to spend on higher value effort, to overcome the cybersecurity skills shortage. (Hacking the Skills Shortage, Intel Security, 2016.)

By opening DXL to the industry through an open software development kit (SDK), more enterprises, developers, and organizations can participate to expand the value and impact of a DXL deployment: we are activating the Network Effect.

The SDK enables a unified model for integrating software vendors’ best ideas with in-house developed and legacy systems to turn an unwieldy, unsustainable set of tools and data sets into a system that functions in real time and is easier to build, test, and maintain consistently. It reduces the error, disruption, and change that create vulnerability up front and over the business’ life.

Together—through better sharing of intelligence and tighter integration of the systems that use it—we as an industry create a security operations platform that connects the good guys in a collaborative team.